Security team successfully cracks SSL using 200 PS3's and MD5

Joe Greco jgreco at
Fri Jan 2 17:33:48 UTC 2009

> On Fri, 02 Jan 2009 09:58:05 CST, Joe Greco said:
> > Anyways, I was under the impression that the whole purpose of the
> > revocation capabilities of SSL was to deal with problems like this, and
> > that a large part of the justification of the cost of an SSL certificate
> > was the administrative burden associated with guaranteeing and maintaining
> > the security of the chain.
> What percentage of deployed browsers handle CRL's correctly?
> Consider this snippet from the page (section 6.1):
> "One interesting observation from our work is that the rogue certificate we
> have created is very hard to revoke using the revocation mechanism available in
> common browsers. There are two protocols for certificate revocation, CRL and
> OSCP. Until Firefox 3 and IE 7, certificate revocation was disabled by default.
> Even in the latest versions, the browsers rely on the certificate to include a
> URL pointing to a revocation server. Our rogue CA certificate had very limited
> space and it was impossible to include such a URL, which means that by default
> both Internet Explorer and Firefox are unable to find a revocation server to
> check our certificate against."
> Hmm... so basically all deployed FireFox and IE either don't even try to do
> a CRL, or they ask the dodgy certificate "Who can I ask if you're dodgy?"
> What's wrong with this picture?  (Personally, I consider this a potentially
> bigger problem than the MD5 issue...)

I suppose I wasn't sufficiently clear.

It seems that part of the proposed solution is to get people to move from
MD5-signed to SHA1-signed.  There will be a certain amount of resistance.
What I was suggesting was the use of the revocation mechanism as part of
the "stick" (think carrot-and-stick) in a campaign to replace MD5-based
certs.  If there is a credible threat to MD5-signed certs, then forcing
their retirement would seem to be a reasonable reaction, but everyone here
knows how successful "voluntary" conversion strategies typically are.

Either we take the potential for transparent MitM attacks seriously, or 
we do not.  I'm sure the NSA would prefer "not."  :-)

As for the points raised in your message, yes, there are additional
problems with clients that have not taken this seriously.  It is, however,
one thing to have locks on your door that you do not lock, and another
thing entirely not to have locks (and therefore completely lack the
ability to lock).  I hope that there is some serious thought going on in
the browser groups about this sort of issue.

We cannot continue to justify security failure on the basis that a
significant percentage of the clients don't support it, or are broken in
their support.  That's an argument for fixing the clients.

... JG
Joe Greco - Network Services - Milwaukee, WI -
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

More information about the NANOG mailing list